Comments on: (Fix) r3953724.cn Malware/Adware Redirections

By: Propeller Head

Propeller Head — Fri, 30 Oct 2009 04:25:56 +0000

You’re very welcome guys – glad I could help! 8^)

By: Alan

Alan — Fri, 30 Oct 2009 02:42:06 +0000

Agreed, kudos to Propellor Head – I had seen atapi.sys show up on something in a scan – HijackThis perhaps – but hadn’t paid any attention to it because it was in the right place, with the right name, and I was working with CD-based files since I couldn’t download directly.

By: Grateful_Reader

Grateful_Reader — Thu, 29 Oct 2009 21:03:10 +0000

Thanks a million, Propeller Head — that did the trick! How the heck did you figure this out?

Mad props, my friend. =)

By: Propeller Head

Propeller Head — Thu, 29 Oct 2009 13:30:48 +0000

It’s a rootkit in atapi.sys. I successfully cleaned my infection last night. Use the newest version of ComboFix – it detects and cleans it. Make sure you allow it to install the recovery console if it’s not already resident. Good luck!

By: Alan

Alan — Thu, 29 Oct 2009 03:20:37 +0000

I’ve left it with Kaspersky’s boot CD scanning to see if it’ll pick anything up. It doesn’t seem to be actively going out, but when you use the browser it does redirect.
I’ve left a note for the users in the office to not use it, because not all of the redirects are failing – some are going to a variety of hacked sites, which then redirect to advertising or malware (one of those redirects to a malware site was caught by AVG).

By: Rod I

Rod I — Thu, 29 Oct 2009 03:01:56 +0000

I have the same issue. For now, I have the local loopback in host file pointed to r3953724.cn to avoid the google redirect.
Malware, CA AV, CA PP not detecting anything. IE Addons disabled as well.